Port 137 Scans.
published: 2002-10-01

--- update ---
We now believe that these port 137 scans are due to the 'Bugbear'
mass mailing virus and the 'Scrup' worm.

Bugbear:
http://www.mcafee.com/anti-virus/viruses/bugbear/
Scrup:
http://vil.mcafee.com/dispVirus.asp?virus_k=99729

--------------

UDP packets for port 137 are nothing unusual. Windows file sharing uses
port 137 for its own NETBIOS name service, which is used similar to DNS
to translate IP addresses into netbios hostnames.

Frequently, Windows machines will use this function during regular Internet
activity, if asked to reverse resolve an IP address and not being able to
do so via DNS. In this case, the machine may connect to the IP it is asked
to reverse resolve and request a netbios host name.

However, aside from this very common and harmless activity, these lookups
are also a first step for accessing shared resources on the target machine.
As such, port 137 packets can be seen as initial reconnaissance and if
successful, a connection to the share resources using port 139 is sure
to follow.

There are a number of well known worm and IRC controlled 'bots' that
attempt to use unprotected shared drives to deposit malware or just to
use them as repositories for various 'warez'. Usually, these bots scan
given subnets sequentially, and depending on the size of the bot-network
and the size of the target network, these scans can be rather noisy.

Scans reported over the last few days appear to be more widespread then
these more commonly seen 'bot net scans'.

While we do have honeypots that appear to have been scanned, none of them
has been compromised at this point. However, given the ubiquity of port
137 scans under normal conditions, it is not certain if everyone is
reporting hits from the same 'bug'.

If you have more information, please share them with isc@incidents.org .


------------------------------------------------------------------------
Johannes Ullrich. CTO Internet Storm Center. isc@incidents.org